This is a discussion on Re: [Snort-users] Rule Chaining within the Snort forums, part of the System Security and Security Related category.
Rule chaining can be done with "Activate" and "Dynamic", can it not?

Joel

On Fri, 2005-02-25 at 11:44 -0500, Matt Kettler wrote:
> At 12:25 AM 2/25/2005, Madhur Nagar wrote:
> >Hi
> >I wanted to know whether SNORT allows
> >1. Rule Chaining - one rule calling another
>
> Not that I'm aware of.
>
> >2. Stateful Checking - Checking for a content in say
> >10 packets and only if the content of all the 10
> >matches then take some action
>
> No, but this can be approximated with the threshold keyword.
>
> >3. Remote Rule Updation
>
> Eh? "rule updating"? Yes, snort rules can be updated, but that's done
> outside of snort. There's even a handy tool called oinkmaster to help
> automate it.
>
> >I would also be grateful if someone could please tell
> >me in which files is the source code for the rules
> >related to the above topics
>
> Sorry, I don't know off the top of my head. Do some grepping for threshold
> in the code.
>
> _______________________________________________
> Snort-users mailing list
> Snort-users@lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/...fo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.p...st=snort-users

--
Esler, Joel CNTR/Sytex <joel.esler@rcert-s.army.mil>
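The two mechanisms mentioned in this exchange, an activate/dynamic rule pair for chaining and the threshold keyword for "alert only after N matches", as an added example in Snort 2.x rule syntax that is not from the thread or from the Snort rule sets; the SIDs, port, and content strings are constructed for illustration.

```snort
# Added example (not from the thread). Snort 2.x rule syntax assumed;
# SIDs, port and content strings below are constructed placeholders.

# 1. Rule chaining with an activate/dynamic pair (what Joel refers to).
#    When the activate rule matches, it switches on the dynamic rule that
#    carries the same activated_by number; the dynamic rule then logs the
#    next "count" packets on that traffic without a content match of its own.
activate tcp $EXTERNAL_NET any -> $HOME_NET 8080 \
    (msg:"EXAMPLE suspicious request, start follow-on capture"; \
     flow:to_server,established; content:"/admin/backup"; nocase; \
     activates:1; sid:1000001; rev:1;)

dynamic tcp $EXTERNAL_NET any -> $HOME_NET 8080 \
    (msg:"EXAMPLE follow-on packets after suspicious request"; \
     activated_by:1; count:20; sid:1000002; rev:1;)

# 2. Approximating "act only after 10 matching packets" with threshold
#    (what Matt suggests). type threshold fires on the 10th matching packet
#    from one source within 60 seconds (and every further 10th), instead of
#    on each match. It counts matches of this rule's content per source;
#    it does not require the 10 packets to be consecutive, which is why it
#    is only an approximation of the stateful check asked about.
alert tcp $EXTERNAL_NET any -> $HOME_NET 8080 \
    (msg:"EXAMPLE 10 matching requests from one source within 60s"; \
     flow:to_server,established; content:"/admin/backup"; nocase; \
     threshold:type threshold, track by_src, count 10, seconds 60; \
     sid:1000003; rev:1;)
```

In later Snort 2 releases the per-rule threshold option is superseded by detection_filter, and activate/dynamic pairs by the tag option, so check the manual for the version actually deployed before relying on either form.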